WSGI question: reading headers before message body has been read
Diez B. Roggisch
deets at nospam.web.de
Sun Jan 18 17:54:15 EST 2009
Ron Garret schrieb:
> On Jan 18, 12:40 pm, "Diez B. Roggisch" <de... at nospam.web.de> wrote:
>> Ron Garret schrieb:
>>
>>
>>
>>> On Jan 18, 11:29 am, "Diez B. Roggisch" <de... at nospam.web.de> wrote:
>>>> Ron Garret schrieb:
>>>>> I'm writing a WSGI application and I would like to check the content-
>>>>> length header before reading the content to make sure that the content
>>>>> is not too big in order to prevent denial-of-service attacks. So I do
>>>>> something like this:
>>>>> def application(environ, start_response):
>>>>> status = "200 OK"
>>>>> headers = [('Content-Type', 'text/html'), ]
>>>>> start_response(status, headers)
>>>>> if int(environ['CONTENT_LENGTH'])>1000: return 'File too big'
>>>>> But this doesn't seem to work. If I upload a huge file it still waits
>>>>> until the entire file has been uploaded before complaining that it's
>>>>> too big.
>>>>> Is it possible to read the HTTP headers in WSGI before the request
>>>>> body has been read?
>>>> AFAIK that is nothing that WSGI defines - it's an implementation-detail
>>>> of your server. Which one do you use?
>>> Apache at the moment, with lighttpd as a contender to replace it.
>> Together with mod_wsgi?
>>
>> Diez
>
> Yes. (Is there any other way to run WSGI apps under Apache?)
Well, not so easy, but of course you can work with mod_python or even
CGI/fastcgi to eventually invoke a WSGI-application.
However, the original question - that's a tough one.
According to this, it seems one can use an apache-directive to prevent
mod_wsgi to even pass a request to the application if it exceeds a
certain size.
http://code.google.com/p/modwsgi/wiki/ConfigurationGuidelines
Search for "Limiting Request Content"
However, I'm not sure how early that happens. I can only suggest you try
& contact Graham Dumpleton directly, he is very responsive.
Diez
More information about the Python-list
mailing list